How to Secure Your PC’s Disk Drives with BitLocker

You can bring encryption to your hard drive and USB flash drives using the Windows BitLocker tool.

Concerned about someone accessing your PC’s hard drive or flash drives and reading the information on them? You can add an extra layer of protection to all your drives with the Windows BitLocker feature. Designed to work on both internal and external drives, BitLocker encrypts your drives to prevent unauthorized access. As such, BitLocker is especially useful on a laptop or on flash drives that may get lost or stolen and fall into the wrong hands.

BitLocker is not a substitute for your regular Windows password or other means of authentication. Rather, BitLocker detects if someone tries to use your hard drive or flash drives on another PC or tries to boot up your PC using a DVD or flash drive. In that event, BitLocker prevents access to your encrypted drive. So, you should still have a Windows login password or other security method to safeguard your operating system.

BitLocker has been around since Windows Vista days and continues to be an option with Windows 10. BitLocker is automatically built into Windows as part of the operating system, though it’s turned off by default. You can enable the feature through its icon in Control Panel or by accessing the drive you want to encrypt in File Explorer or Windows Explorer.

To use BitLocker, you need to be running one of the following flavors of Windows: Windows Vista Ultimate or Enterprise; Windows 7 Ultimate or Enterprise; Windows 8 Pro or Enterprise; Windows 8.1 Pro or Enterprise; Windows 10 Pro, Enterprise, or Education; or Windows Server 2008 and later.

You’ll also need a hard drive with at least two partitions – a system partition that houses the files needed to load Windows and an operating system partition that stores Windows itself. Most computers these days come with at least these two partitions. If you need to create a second partition, you can follow the steps in Microsoft’s Windows BitLocker Drive Encryption Step-by-Step Guide.

Ideally, you’ll want a computer with a Trusted Platform Module (TPM). A TPM is a dedicated security chip designed to authenticate your computer system as a form of protection against unauthorized changes or access. How do you know if your PC includes a TPM? BitLocker checks when you try to enable the feature. To find out beforehand, open Control Panel in icon view. Click on the icon for Device Manager. At the Device Manager window, look for a setting for Security devices with an entry for Trusted Platform Module 1.2 or later. If you find it, you’re good to go.

If there is no setting for Security devices or for TPM, you can try to enable it in the BIOS. To do this, reboot your PC and press the appropriate key to enter the BIOS. Look for a tab for Security and a setting for TPM or Security Chip. Enable or Activate it if it’s turned off. No setting for Security or TPM? You’re not out of luck.

If your computer doesn’t have a TPM chip, you can still use BitLocker, but you’ll have to take the following steps: Open the Group Policy Editor by pressing Win + R and typing gpedit.msc in the Open field of the Run box. In the Group Policy Editor, navigate to the following location: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. At the right pane, double-click on the setting to Require additional authentication at startup. Click on the button for Enabled. Make sure the option to Allow BitLocker without a compatible TPM is checked. Read the information in the Help section to find out the requirements for running BitLocker this way. Click OK to close the current window and then close the Group Policy Editor.
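As an added example that is not part of the original article, the following PowerShell script checks the same prerequisites from an elevated prompt: whether a TPM is present and ready, whether the policy setting above has been applied, and the current state of the system drive. It relies on the built-in Get-Tpm and Get-BitLockerVolume cmdlets; the registry location and value name (EnableBDEWithNoTPM) are assumed to be where that Group Policy setting is stored.

```powershell
# Added example (not from the original article): pre-flight check before turning
# on BitLocker for the operating system drive. Run from an elevated PowerShell
# prompt on Windows 10. Get-Tpm and Get-BitLockerVolume are built-in cmdlets.
# The registry path below is assumed to be where gpedit.msc writes the
# "Require additional authentication at startup" policy.

function Test-BitLockerPrereqs {
    $result = [ordered]@{}

    # 1. TPM: is a chip present and ready for use (enabled/activated in firmware)?
    try {
        $tpm = Get-Tpm
        $result.TpmPresent = $tpm.TpmPresent
        $result.TpmReady   = $tpm.TpmReady
    } catch {
        # Get-Tpm fails on machines with no TPM device at all
        $result.TpmPresent = $false
        $result.TpmReady   = $false
    }

    # 2. Policy: has "Allow BitLocker without a compatible TPM" been enabled?
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $noTpm = (Get-ItemProperty -Path $fve -Name EnableBDEWithNoTPM `
                -ErrorAction SilentlyContinue).EnableBDEWithNoTPM
    $result.AllowWithoutTpm = ($noTpm -eq 1)

    # 3. Current BitLocker state of the system drive (usually C:)
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $result.ProtectionStatus = $vol.ProtectionStatus
    $result.EncryptionMethod = $vol.EncryptionMethod

    # Verdict: either a ready TPM or the policy exception is needed to proceed
    $result.CanEnable = ($result.TpmReady -or $result.AllowWithoutTpm)
    [pscustomobject]$result
}

$check = Test-BitLockerPrereqs
$check | Format-List
if (-not $check.CanEnable) {
    Write-Warning ('No ready TPM found. Enable "Allow BitLocker without a ' +
        'compatible TPM" under Computer Configuration > Administrative Templates > ' +
        'Windows Components > BitLocker Drive Encryption > Operating System Drives.')
}
```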

You’ll also be asked to create a recovery key that you can save to your Microsoft account or store on a USB drive or in a file. The recovery key is necessary if you ever have problems accessing your encrypted drive.

The steps for using BitLocker differ slightly based on which version of Windows you use. That’s because Microsoft has tweaked the feature over time. However, the basic process is the same. I’ll use Windows 10 as my testbed here, but if you’re using a different flavor of Windows, you shouldn’t have trouble getting BitLocker up and running.

Okay, let’s set up BitLocker. Open Control Panel in icon view and click on the icon for BitLocker Drive Encryption. Next to your C drive, click on the link to Turn on BitLocker.

Windows analyzes your system to determine if it supports BitLocker. If you have a TPM chip, you’ll see a screen that asks how you want to back up your recovery key: 1) Save it to your Microsoft account; 2) Save to a USB flash drive; 3) Save it to a file; or 4) Print it. If you’re comfortable saving it to your Microsoft account, that’s fine. But if you’d rather not store it online, pick the option to save it to a USB drive or file. Click Next.

If your computer doesn’t have a TPM chip, you’re first given two options: 1) Store a startup key (different from the recovery key) on a USB flash drive that you’ll plug in each time you power up your PC; or 2) Enter a password each time you boot up. Choose your preferred option. If you selected a USB flash drive, make sure you have a drive plugged into your PC. Click Save to save the startup key. If you went the password route, type and then retype a strong but memorable password. You’ll then see the same screen described above to choose how you want to store your recovery key. Choose your Microsoft account, a USB drive, or a file. Click Next.

Windows then asks if you want to encrypt used disk space only or the entire hard drive. If your PC is new and doesn’t contain much data, you can opt for the first option; otherwise choose to encrypt the whole drive. Click Next.

If you’re running Windows 10, you’re then asked if you want to use a new type of disk encryption mode. If you’re encrypting an internal hard drive, choose the new mode. Click Next. At the next screen for computers with or without a TPM chip, you’re asked to run a BitLocker system check to make sure BitLocker can read the recovery and encryption keys. Make sure that option is checked. Click Continue. And then restart your computer.

To restart a PC without a TPM, you’ll need to plug in the USB drive with the startup key or enter the password, depending on which option you chose. On a PC with a TPM, no password or other authentication method is required. That’s because the security key is built into the chip and serves to detect any unauthorized access to your PC’s hard drive. Again, you’ll still want to have a strong Windows password or other security method to prevent someone from logging into your operating system.

Open BitLocker Drive Encryption from Control Panel. You should see that BitLocker is in the process of encrypting your drive. You can go about your work while the drive is being encrypted.

After the encryption has completed, BitLocker will show that it’s turned on.

Now, let’s say you want to encrypt a USB flash drive. Plug the drive into your computer and open BitLocker Drive Encryption. You should see your flash drive listed with the description: BitLocker off. Click on the drive letter of your flash drive and then click on the link to Turn on BitLocker.

Windows asks how you want to unlock this drive, either using a password or a smart card PIN. Choose the password option and then type and retype a strong password. Click Next. You’re then asked how you want to back up your recovery key: 1) Save to your Microsoft account; 2) Save to a file; or 3) Print the key. Choose your preferred option. Click Next. The next screen asks if you want to encrypt only the used disk space or the entire drive. Select your preferred option. Click Next. If you’re using Windows 10, you’re then asked if you want to use the new encryption mode or the compatible mode. Choose the compatible mode. Click Next. And at the next screen, click on the Start encrypting button. BitLocker encrypts your flash drive.

When the encryption is complete, click the Close button. The next time you plug that flash drive into a computer, you’ll be asked for the password to unlock it.
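Both procedures, the operating system drive walked through earlier and the flash drive just described, can also be driven from the built-in BitLocker PowerShell module. This is an added example, not the article’s own steps or a Microsoft script; the flash drive letter F:, the file path on the USB stick and the password prompts are placeholders. The wizard’s “new” encryption mode corresponds to XTS-AES and its “compatible” mode to AES-CBC, which is how they are named on the -EncryptionMethod parameter.

```powershell
# Added example (not from the original article): turning on BitLocker for the
# OS drive and for a removable flash drive with the BitLocker module.
# Run elevated. F:, E:\BitLocker-Recovery-C.txt and the prompts are placeholders.

# --- Operating system drive ---
$os = $env:SystemDrive

# Create the recovery password first so it exists before encryption begins,
# then save it somewhere other than the PC being encrypted (here: a USB stick)
Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $os).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
$rp.RecoveryPassword | Out-File 'E:\BitLocker-Recovery-C.txt'   # placeholder path

if ((Get-Tpm).TpmReady) {
    # PC with a TPM: the chip unlocks the drive; no startup password is needed.
    # XtsAes256 = the wizard's "new" mode. Without -SkipHardwareTest, Windows
    # runs the same system check as the wizard and starts encrypting after reboot.
    Enable-BitLocker -MountPoint $os -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -TpmProtector
} else {
    # PC without a TPM (policy "Allow BitLocker without a compatible TPM" must be
    # enabled): a password is required at every boot
    $bootPw = Read-Host -AsSecureString 'Startup password for the OS drive'
    Enable-BitLocker -MountPoint $os -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -PasswordProtector -Password $bootPw
}

# --- Removable flash drive ---
$usb = 'F:'                                                     # placeholder
$usbPw = Read-Host -AsSecureString 'Password to unlock the flash drive'
# Aes256 (AES-CBC) = the wizard's "compatible" mode, readable by older Windows
Enable-BitLocker -MountPoint $usb -EncryptionMethod Aes256 `
    -UsedSpaceOnly -PasswordProtector -Password $usbPw
# Recovery password for the flash drive too, in case the password is forgotten
Add-BitLockerKeyProtector -MountPoint $usb -RecoveryPasswordProtector | Out-Null

# Progress check: the equivalent of the "encrypting" status in Control Panel
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

Restart the PC after the script finishes so the system check runs and OS drive encryption begins; ProtectionStatus shows On once encryption of a volume completes.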

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of iNET Interactive. All other marks are the trademarks or service marks of their respective owners.